Monday, May 30, 2011

Data Privacy and Protection in India - Letter to Mr. Salman Khursheed

Below was the Letter that I had written to the Law Minister when he was not in-charge and he had asked me to provide the details so that he could have spoken to the then Law Minister Mr. Kapil Sibbal.  Interestingly, after the conversation, I had another round of telecon with the officials and then I sent the mail.  The Govt after a couple days had declared that India is Going in For Data Privacy and Protection regime....

May be coincidental!!! but the mail was written on May 29, 2011 and Govt declaration came in June 1st week :) 


Posted from Drafts on November 25, 2011
______________________________________________________________

Dear Mr. Salman Khursheed,

Please refer to our discussion on the Sets of "We the People" show of NDTV 24/7.  Highlight of the Discussion post the show was the requirement of Data privacy and Protection in India, and you had told me to write a mail to you and you would take it forward with Mr. Sibal, our Law Minister.  However, what I would like to Highlight here is the requirement of Data Privacy and Protection also involves following Ministries -
  1. Information and Broadcasting Ministry
  2. Ministry of IT and Telecom
  3. Human Resource Ministry
  4. Ministry of External Affairs
Well if we actually look at the requirement, the Data Protection is need of the Hour for India.  It would not just help India in being one of the Nations who have strong support for Securing the personal interest of its Law Abiding Citizens by protecting their Personal as well as Sensitive Information.

I had written Post on my blog with respect to this and same is as below.  I hope it would help understand the current lacuna in the Indian IT Act 2000 (amendment Act 2008) and the need to go for a Data privacy and Protection Act -

It is quite interesting to note that when it comes to the Cyber Laws, Indian IT Act 2000 (amended by Information Technology Amendment Bill 2006, passed in Lok Sabha on Dec 22 and in Rajya Sabha on Dec 23 2008 and reinstated at Indian IT Act 2008) is one of the best Cyber Laws in the world.  Incidentally,  India was just the 12th nation when the act was initially put to effect in the year 2000.  However, the Act fails to provide any point with regards to the Privacy of Personal Information.  Today when Identity Theft is one of the prime concerns in the Digital Space, India is lacking big time on the Ensuring the Integrity and Protection of Information as stored, processed and transmitted using information technology and the allied systems.

An Analysis of the Personal Data Protection Law in India by CRID - University of Namur (Submitted to Commission of the European Communities, Directorate General Justice, Freedom and Security) identified the specific lacunae as present in this area.

CRID evaluated Indian Regulatory Scenario in its 71 pager report covering the aspects of  -
  •    Federal Structure
  •    Constitution of India
  •    Judicial System
  •    Administrative Tribunals System
  •    Competence to Legislate on Data Protection
  •    Influence of International Norms
  •    General Legal Protection of Human Rights
  •    Data Protection Legislation
  •    The Right to Privacy in India
  •    Statutory Safeguards of Privacy and Data Protection Interest Outside Data Protection Legislation
  •    The Information Technology Act, 2000
  •    The Amendments to the IT Act 2000
The evaluation of Indian Regulatory / Legal environment around Privacy and / or Protection of Data has been referenced to the Article 25 of Directive 95/46/EC that regulates the transfer of personal data from Member States of the European Union (EU) to "third countries" – i.e., countries outside the EU (and EEA). According to Art. 25(1), transfer of personal data "may take place only if the third country in question ensures an adequate level of protection".

Salient Observations by CRID are -
  • Section 3.1.2.1 on page 30 states - No Such Concept as "Personal Data"
  • Para 2 of the section further elaborates - "The IT Act doesn't provide for any definition of personal data"
  • Section 3.1.4.2 b) states - The research found no express provision in the IT Act requiring data to be kept accurate and up-to-date
  • Para below that (again referred as 3.1.4.2) states - The research haven't found any provision in the IT Act requiring processed and transferred data to be adequate, relevant and not excessive.
  • Section 3.1.4.3 establishes under the Head Principle of Transparency, the Information Technology Act, 2000 has no equivalent provision to the EU Privacy Directive's Articles 10 and 11
  • Section 3.1.4.4 establishes that no specific provision requires particular security requirements that are appropriate to the risks presented by the processing of personal data. Moreover, the IT Act lacks a provision ensuring that personal data should only be processed on the instructions from the controller
  • Section 3.1.4.5 establishes that the IT Act does not provide for any of the principles related to access, rectification and opposition by individual data subjects.
  • Section 3.1.4.6.The principle of Restriction on Onward Transfers establishes that  The IT Act does not provide for such a principle
Through and through, the report highlights the areas where India Lacks in addressing Privacy and / or protection of Personal Data.  The report conclude "Given the absence of any general data protection Act, no Data Protection Authority has been established in India."

The points mentioned above certainly make a point that thought our Cyber Law is one of the Best, but it still is not the Best.  It needs to address the requirements on the lines of European Data Privacy Directive.  Moreover, the one place where India lacks is the general and overall lack of Understanding of its Cyber Laws by the Law Enforcement as well as Justice & Care Departments. A defined action plan needs to be implemented by the Law Makers to ensure that the intent and coverage of the Laws as defined and passed by the apex council are precipitated to the required levels in a manner to increase its Effectiveness and the Efficiency.

अभिनंदनीय
मयंक त्रिवेदी
लक्ष्यहीन जीवन दीशाविहीन एवं व्यर्थ है

No comments: